The Bitcoin scheme is a rare example of a large scale global payment system in which all the transactions are publicly accessible (but in an anonymous way). We downloaded the full history of this scheme, and analyzed many statistical properties of its associated transaction graph. In this paper we answer for the first time a variety of interesting questions about the typical behavior of users, how they acquire and how they spend their bitcoins, the balance of bitcoins they keep in their accounts, and how they move bitcoins between their various accounts in order to better protect their privacy. In addition, we isolated all the large transactions in the system, and discovered that almost all of them are closely related to a single large transaction that took place in November 2010, even though the associated users apparently tried to hide this fact with many strange looking long chains and fork-merge structures in the transaction graph.

Untraceable money. I wonder what sort of organization would be interested in such a thing. Hmmm.

Password Standards
Use 6 to 12 letters and/or numbers.
Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith).
Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111).
Do not use symbols, punctuation marks, or spaces (e.g., #, @, /, *, -.).

It’s 2013. You’re a major financial institution. Get off your IBM mainframe or AS/400-authenticated garbage and get a real authentication system, okay? It’s embarrassing. No, really. While the rest of the planet’s web services – including free email systems Outlook.com & Gmail – are presenting multi-factor authentication with the usage of passphrases containing hundreds of characters, you can’t even get basic passwords right?

Let’s review, shall we?

No passwords larger than 12 characters. [MOUTH AGAPE]

No non-alphanumeric characters. Non-alphanumeric characters are arguably one of the best defenses against brute force account hacking.

No server-side authentication. Fidelity.com doesn’t authenticate itself to you with known information about you & your account to demonstrate that it really is Fidelity.com you’re logging into, and not a man-in-the-middle.

No two-factor authentication. Not even a cellphone solution like Phone Factor.

No authorized workstation activation (a form of two-factor authentication). There are no personal PCs that you can bless with special cookies to access your account. Basically, anyone can log into your account from any PC in the world. Nice.

Yes, I get that you have an account lockout policy. Fine. But so does everyone else & that doesn’t stop them from implementing complex passwords. I seriously expected this to be fixed a long time ago. Y’all make Morgan Stanley look downright MODERN despite their ridiculous flash-only interface.
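To put numbers on the complaint above, here is the quoted Password Standards block encoded as a checker, together with a brute-force keyspace bound for that policy versus one that allows long passphrases with any printable character. This is an added example written for this post, not Fidelity's code; the sample passwords and the comparison policy are constructed.

```python
import math

# Constructed encoding of the quoted "Password Standards" (not Fidelity's implementation).
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
MIN_LEN, MAX_LEN = 6, 12
MAX_REPEATS = 5  # "no more than 5 instances of a single number or letter"


def easy_sequence(pw):
    """Flag the 'easily recognized sequences' the policy names: runs like 11111 or 12345."""
    for i in range(len(pw) - 4):
        chunk = pw[i:i + 5]
        if len(set(chunk)) == 1:  # 11111, aaaaa
            return True
        if chunk.isdigit() and all(int(chunk[j + 1]) - int(chunk[j]) == 1 for j in range(4)):
            return True  # 12345
    return False


def policy_allows(pw):
    """Return (accepted, reason) under the quoted 6-12 alphanumeric policy."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False, "length"
    if any(c not in ALLOWED for c in pw):
        return False, "non-alphanumeric"
    if max(pw.count(c) for c in set(pw)) > MAX_REPEATS:
        return False, "repeats"
    if easy_sequence(pw):
        return False, "sequence"
    return True, "ok"


def keyspace_bits(alphabet_size, min_len, max_len):
    """log2 of the number of candidate strings: an upper bound on exhaustive-search work."""
    return math.log2(sum(alphabet_size ** n for n in range(min_len, max_len + 1)))


def compare_policies():
    """Quoted policy (62 symbols, 6-12 chars) vs. a constructed one allowing 95 printable ASCII, 6-64 chars."""
    return {
        "quoted_policy_bits": keyspace_bits(len(ALLOWED), MIN_LEN, MAX_LEN),
        "passphrase_policy_bits": keyspace_bits(95, 6, 64),
    }


if __name__ == "__main__":
    for pw in ["Jane212Smith", "correct horse battery staple!", "Tr0ub4dor&3", "abc12345"]:
        print(f"{pw!r}: {policy_allows(pw)}")  # constructed samples
    print({k: round(v, 1) for k, v in compare_policies().items()})
```

Note that the policy rejects the long passphrase outright while accepting its own 12-character example, so the ceiling on any user's password is fixed at roughly 71 bits before dictionary structure is even considered.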